Chapter 9. Protecting a Web Application
In this chapter, we will use the knowledge we have gained about ModSecurity to implement a protective ruleset for a real-world web application. The ruleset will be based on a positive security model, so anything which is not explicitly allowed through will be denied. You can compare the positive security model to a bouncer standing guard at a popular club. In his hand he has a list of all the celebrities that are allowed into the club. Anyone not on this list is denied entry. The positive security model works the same way—we explicitly define what is allowed and reject everything else.
We encountered the positive security model in the previous chapter when we saw how it could be implemented using the ...
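The positive security model described above, as an added example that is not the book's own ruleset: a ModSecurity 2.5 configuration fragment for a hypothetical login form at /login.php that accepts only a POST carrying exactly the fields username and password. The path, field names, length limits and character classes are assumptions chosen for illustration.

```apache
# Added example (not from the book): positive security model for a
# hypothetical /login.php form. Everything not explicitly allowed is denied.
SecRuleEngine On
SecDefaultAction "phase:2,deny,status:403,log"

# Restrict this rule group to the login resource; other URLs skip past it.
SecRule REQUEST_FILENAME "!^/login\.php$" \
    "phase:2,t:none,pass,nolog,skipAfter:END_LOGIN_RULES"

# Only the POST method is permitted for this resource.
SecRule REQUEST_METHOD "!^POST$" \
    "phase:2,t:none,deny,status:403,msg:'login: method not allowed'"

# Every parameter name must be one we know about; anything else is rejected.
SecRule ARGS_NAMES "!^(username|password)$" \
    "phase:2,t:none,deny,status:403,msg:'login: unexpected parameter %{MATCHED_VAR}'"

# Both expected fields must be present exactly once (blocks duplicate params).
SecRule &ARGS:username "!@eq 1" \
    "phase:2,t:none,deny,status:403,msg:'login: username missing or repeated'"
SecRule &ARGS:password "!@eq 1" \
    "phase:2,t:none,deny,status:403,msg:'login: password missing or repeated'"

# username: 3-32 characters drawn from letters, digits, dot, underscore, dash.
SecRule ARGS:username "!^[a-zA-Z0-9._-]{3,32}$" \
    "phase:2,t:none,deny,status:403,msg:'login: invalid username format'"

# password: 8-64 printable ASCII characters (value itself is not written to the log).
SecRule ARGS:password "!^[\x20-\x7e]{8,64}$" \
    "phase:2,t:none,deny,status:403,msg:'login: invalid password format'"

# Every check above passed: this request matches the allow-list, let it through.
SecAction "phase:2,t:none,allow,nolog"
SecMarker END_LOGIN_RULES
```

Because each rule denies on a negated match, a request has to satisfy all of the allow-list conditions before reaching the final allow; adding a new form field means adding it to the ARGS_NAMES list and writing a format rule for it.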